Fun Publications wants to take this opportunity to apologize to all of our members.

After many days of analysis, Fun Publications has determined that there is a security issue with our e-commerce systems. We appreciate all of you who have sent in your details. Your help has allowed us to ferret out several different patterns of fraudulent charges that have appeared on some members' cards (any that have been used over the last year with both the club store and our event registration system).

We have several different internet/networking companies looking into the matter. Unfortunately, as of yet, we have not been able to identify any forcible entry either into our internet service provider's servers or network. This is like chasing a ghost through the wires, as unfortunately, the perpetrator did not leave a trail, foot prints or finger prints.

For those of you who have been affected, we apologize for all of your time this has wasted and any inconvenience it has caused you. We understand your frustration as this same type of fraud has happened to everyone in our office on our personal credit cards at some point in the past. Our merchant services provider wants us to remind everyone that even though this can be a huge annoyance for you, the customer, your issuing bank will not hold you responsible for any fraudulent charges that might be placed on your card(s).

We know that this issue has been a huge topic of discussion on all of the boards for the past few weeks. However, we are required to investigate to determine and confirm a security issue thoroughly before making any public statements. This is why we put out a general alert statement two weeks ago.

Until the analysis is finished (can take several weeks) we don't know if the shut down by our former (Jan 31st) e-commerce provider caused the security issue or not. We do know that it has not been limited to those who have purchased before the change to our new provider.

Please, watch your cards closely as this type of security issue appears to be on the increase across the net. No site is 100% safe. You may want to consider having any cards you have used with Fun Publications in the last year replaced.

At this time, we do not know how long our e-commerce site will be offline for both the store and registrations. We will get back to you once we have a solution for this security issue.

After many days of analysis, Fun Publications has determined that there is a security issue with our e-commerce systems.

After many weeks of reading these threads, no jive.

QUOTE

However, we are required to investigate to determine and confirm a security issue thoroughly before making any public statements.

Required by whom?

QUOTE

This is why we put out a general alert statement two weeks ago.

The statement that read as indicating that there was nothing wrong and no connection to the Club?

QUOTE

Please, watch your cards closely as this type of security issue appears to be on the increase across the net. No site is 100% safe. You may want to consider having any cards you have used with Fun Publications in the last year replaced.

Smoke and mirrors. Because it happens to other merchants it doesn't matter that it happened to you on a major scale? That's an insane tract to take in a public statement like this.

QUOTE

At this time, we do not know how long our e-commerce site will be offline for both the store and registrations. We will get back to you once we have a solution for this security issue.

Have you reported this to the proper authorities? Are you PCI compliant? If not, when do you pay your $500,000 fine?

QUOTE

Thanks for your support - Brian

Someone at the Club needs to prevent you from making public statements in the future.

However, we are required to investigate to determine and confirm a security issue thoroughly before making any public statements.

Required by whom?

Law enforcement can request delay of notification if they think it'll impede their investigation into the issue, and the business that suffered the security breach can delay notification until they've identified the scope of the breach and taken measures to re-secure their system (so they don't just, y'know, wave a giant red flag and yell "WE ARE VULNERABLE, PLEASE HACK US AGAIN").

Other than that, they're legally required (at least in the state of Texas, where they're located, and similar laws in effect in 37 out of 50 states in the US) to notify the victims as soon as possible.

QUOTE

QUOTE

At this time, we do not know how long our e-commerce site will be offline for both the store and registrations. We will get back to you once we have a solution for this security issue.

Have you reported this to the proper authorities? Are you PCI compliant? If not, when do you pay your $500,000 fine?

For PCI purposes, FunPub isn't a level 1 organization (they're most likely level 4), and even level 1 organizations aren't subject to fines that large simply for a breach of compliance.

Visa, Mastercard, etc. will be the ones dealing with whether they're PCI compliant or not. And it's going to cost them a lot. But probably closer to $50,000 than $500,000.

What I want to know is, what is the club going to do for those members affected by this? Restitution is more than just two PR statements.

The fines that'll be levied against them by the credit card companies should, theoretically, go toward the cost of issuing replacement cards and having the credit card companies reimburse you for fraudulent transactions. There's still a long way to go for FunPub to recover from this from a public relations standpoint, but from a legal standpoint the system has it pretty well covered.

Would it be feasible at all for FunPub to switch over to using Paypal? That way, they won't touch your credit card info.

It would be more expensive (transaction fees would probably be about 50% higher than they are currently), and there are a lot of issues with Paypal locking down sellers' accounts for 3+ months based on a single unsubstantiated claim.

After many days of analysis, Fun Publications has determined that there is a security issue with our e-commerce systems.

After many weeks of reading these threads, no jive.

QUOTE

However, we are required to investigate to determine and confirm a security issue thoroughly before making any public statements.

Required by whom?

QUOTE

This is why we put out a general alert statement two weeks ago.

The statement that read as indicating that there was nothing wrong and no connection to the Club?

QUOTE

Please, watch your cards closely as this type of security issue appears to be on the increase across the net. No site is 100% safe. You may want to consider having any cards you have used with Fun Publications in the last year replaced.

Smoke and mirrors. Because it happens to other merchants it doesn't matter that it happened to you on a major scale? That's an insane tract to take in a public statement like this.

QUOTE

At this time, we do not know how long our e-commerce site will be offline for both the store and registrations. We will get back to you once we have a solution for this security issue.

Have you reported this to the proper authorities? Are you PCI compliant? If not, when do you pay your $500,000 fine?

QUOTE

Thanks for your support - Brian

Someone at the Club needs to prevent you from making public statements in the future.

I'm sorry, but I have to strongly disagree with you.

Just because it's been talked about in threads for awhile is of little relevance to the actual investigations that need/needed to be done.

It's just not that simple.

We also don't really know the scale. That's an absolute bitch to determine, and while there have been people posting about it, how big is that in percentage terms? These things tend to look larger than they actually are (Not always, of course, and I don't know either way here. But it's incredibly difficult to accurately estimate the scale)

Yet another example of just how technically incompetent Fun Pub really is. I mean you can tell it just by looking at their sites, but then you have things like this. Things that cost fans not just money but their financial security. At some point it would just be easier to have the license pulled and given to someone who knows how to run the web/financial side of things. Mom and Pop operations just don't cut it anymore, not when a franchise has become as high profile as TF. I'd rather Hasbro run the convention and contract out a few long time fans who know the franchise and fan base at this point. That's more or less what Brian did anyway, as he admittedly does not or did not know TF's at the time the license was awarded to FP. The creative product would still stay at the same level, if not improve, and all these ridiculous problems as a result of technical ignorance would be resolved. As it stands now, FP is at least 5 if not closer to 10 years behind in terms of web services. This is simply not acceptable anymore.

Yet another example of just how technically incompetent Fun Pub really is. I mean you can tell it just by looking at their sites, but then you have things like this. Things that cost fans not just money but their financial security. At some point it would just be easier to have the license pulled and given to someone who knows how to run the web/financial side of things.

Agreed, much as I hate to say it.

I mean, I am very happy with the creative side of FunPub, and will always continue to fully support the fiction and art side of things.

But the web and technical sides are just ridiculous. They could improve their web presence a hundredfold just by moving to a new PHP-enabled server and setting up 100% free software, never mind if they invested some money in business software or a pro webmaster... which considering how many members they have times the costs of everything, they ought to be able to afford.

And these sorts of security-related issues could be solved by... you know... using freakin' PayPal. The increased fees would amount to maybe a few bucks extra in prices, tops, and it would avoid the major loss of business caused by things like this.

I mean, while I haven't been hit yet, now I'm going to have to change my debit card just in case... and since I don't have any checks or other cards to use, paying for things is going to be irritating until the reissue is all finished.